03-30-2018 07:23 AM - edited 02-21-2020 07:35 AM
Dears,
I'm following the above link for AnyConnect client VPN double authentication, but the document is not clear to me on how the double authentication occurs. I have mentioned it in the steps below; please correct me if I'm not wrong.
Each user has to generate a signing request from his Windows PC; the CSR has to be signed by the CA, and the CA root certificate has to be available as a trustpoint in the ASA to authenticate. But I don't find any trustpoint mapping configuration for the tunnel-group which I created, because I don't want default certificate authentication for all tunnel groups. Also I have one more question here: can the user certificate that was signed by the CA be used with multiple users? I hope it should not, but how will each user be unique from the others if they are authenticating by certificate as a double authentication?
Thanks
03-30-2018 10:07 AM
Hi,
This webpage has an example to configure trustpoint on ASA and enable certificate authentication configuration on separate tunnel-group, not default.
Each user should be issued their own unique certificate. I assume you are using Windows; therefore the certificate should be installed in the user's certificate store. This means only the user who is logged on can use that certificate for authentication.
If you are using Active Directory, a Windows Group Policy can be configured to enroll each user with a certificate to use for authentication.
HTH
03-30-2018 12:08 PM
Dear RJI
thanks for the reply,
Attached are the logs,
I have already enabled certificate authentication on the tunnel-group, but how will this tunnel-group authenticate to the trustpoint? If I am not wrong, by this command: ssl trust-point LAB_PKI OUTSIDE. This command is already enabled on my ASA for the SSL VPN, and the trustpoint is signed by GlobalSign with common name CN=<outside interface public ip>.
I created a signing request from the Windows PC and got it signed by the GlobalSign CA.
When I initiate a request from the client, the certificate authentication fails and says no trustpoint found. Actually, on what basis does it authenticate the user? On the basis of the username, or on the basis of what?
03-30-2018 12:29 PM
03-30-2018 12:53 PM
03-30-2018 01:08 PM
Are you using the trustpoint GS_Intermediate ASDM_TrustPoint0?
Or trustpoint SSL_VPN? This trustpoint is not authenticated, but the issuer is GlobalSign also.
The certificate with hostname = FW.xyz.gov.om is associated to Trustpoint: self, which is obviously incorrect.
I assume your intention is to issue certificates to the ASA and users from the Globalsign CA?
03-30-2018 01:14 PM
Dear RJI
The SSL_VPN trustpoint I recently got signed by GlobalSign, because when users were accessing https://<public IP of the outside interface> for the VPN they used to get the certificate error, so I got it signed by the CA with CN=X.X.X.X <public IP>.
Now my goal is to authenticate AnyConnect client users by certificate and local authentication, so how can I do that?
How should I get the SSL_VPN trustpoint authenticated?
group-policy CERT internal
group-policy CERT attributes
 dns-server value 172.31.20.24
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value slit-tunnel
 default-domain value xyz.local
 split-dns value xyz.gov.om
 address-pools value easypool
 webvpn
  anyconnect modules value posture
  anyconnect ask none default anyconnect
tunnel-group CERT type remote-access
tunnel-group CERT general-attributes
 address-pool easypool
 default-group-policy CERT
tunnel-group CERT webvpn-attributes
 authentication certificate
 group-alias CERT enable
ssl trust-point SSL_VPN outside
03-30-2018 01:20 PM
03-30-2018 01:24 PM
I have the root CA of GlobalSign; I have just added their intermediate but not their root, so is this the reason it is showing me as not authenticated?
I will enter the root certificate now
thanks
03-30-2018 01:58 PM - edited 03-30-2018 02:10 PM
Dears
It is failing to add with the below error:
INFO: Certificate has the following attributes:
Fingerprint: c5efg849 ca043355 e32dba1a c44eb028
Do you accept this certificate? [yes/no]: yes
% Error in saving certificate: status = FAIL
What do I have to do? The other GlobalSign intermediate is doing nothing in the configuration, I guess; please correct me if I'm not wrong.
I want to know: for each user, do I have to generate a CSR and get it signed by the CA? For example, let's assume that after the CA signed the CSR for user A and he installed it in the Trusted Root Certificate / Personal folder, the same certificate can't be used for another user. How will this user be uniquely identified by the ASA in the certificate? Or does the CSR which is generated from the PC make the authentication successful regardless of who the user is?
Please elaborate
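An added example (not the poster's configuration and not taken from the Cisco document linked in the thread) of what the finished certificate-plus-local-password setup looks like on the ASA, serving both the "certificate and local authentication" question and the "how is each user identified" question above. It reuses the names already in the thread (tunnel-group CERT, pool easypool, identity trustpoint SSL_VPN); the CA trustpoint GS_ISSUING_CA, the certificate map CERT_MAP, the OU value VPN-Users and the local account alice are assumptions for illustration:

```cisco
! Added example, not the thread's own configuration.
! Names GS_ISSUING_CA, CERT_MAP, VPN-Users and alice are assumed.
!
! 1. A trustpoint for the CA that ISSUED the user certificates (the
!    intermediate/issuing CA that signed the users' CSRs). The ASA
!    validates the client certificate against this chain; it is a
!    different object from the identity certificate in SSL_VPN.
crypto ca trustpoint GS_ISSUING_CA
 enrollment terminal
!
! Then, at the CLI:
!   crypto ca authenticate GS_ISSUING_CA
!   <paste the issuing CA certificate in PEM form>
!   quit
!
! 2. Certificate map: only certificates whose subject carries
!    OU=VPN-Users are steered to tunnel-group CERT, so certificate
!    authentication is not applied to the other tunnel-groups.
crypto ca certificate map CERT_MAP 10
 subject-name attr ou eq VPN-Users
!
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CERT_MAP 10 CERT
!
! 3. Tunnel-group: certificate AND username/password from the LOCAL
!    database ("double authentication"). The username is taken from
!    the certificate's CN and pre-filled, so the cert holder can only
!    log in as the account named in that certificate.
tunnel-group CERT type remote-access
tunnel-group CERT general-attributes
 address-pool easypool
 default-group-policy CERT
 authentication-server-group LOCAL
 username-from-certificate CN
tunnel-group CERT webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 group-alias CERT enable
!
! 4. Server identity certificate presented on the outside interface
!    (the GlobalSign-signed SSL_VPN trustpoint from the thread).
ssl trust-point SSL_VPN outside
!
! 5. One local account per user. With username-from-certificate CN the
!    account name must equal the CN in that user's certificate, which is
!    what makes each user unique: a certificate issued with CN=alice
!    cannot be used to log in as any other local account.
username alice password <set-a-password> privilege 0
```

Two points the example makes explicit: the trustpoint the ASA uses to verify client certificates is the one that holds the issuing CA's certificate, which is why a tunnel-group never points at `ssl trust-point` for that purpose; and per-user uniqueness comes from a per-user CSR (unique CN) plus `username-from-certificate` tying that CN to a specific account, so a shared certificate would at best log everyone in as the same account.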
03-30-2018 02:16 PM
03-30-2018 02:39 PM
Please find the file attached for the trustpoint; actually I made a mistake in installing the file, I used different trustpoint names.
I cannot provide the debug itself as I am out of the office.
crypto ca authenticate SSL_VPN
< and I am pasting the entire root certificate of the GS>
quit
"send an output of the commands you run and the debug information" ??? which command ??
03-30-2018 03:34 PM
I managed to install the root certificate and now it is in the authenticated status; we will send the debugs tomorrow for the certificate authentication failure.
thanks
03-31-2018 04:03 AM
03-31-2018 08:54 AM
Dear RJI
Just want to tell you that the actual root certificate was giving me an error, so I authenticated with an intermediate certificate provided by the CA and it worked.
Before authentication of the intermediate certificate I had already done the enrollment of the CSR. I don't have access to the FW to check the debugs on why the certificate SSL VPN users are still failing.
Also it would be appreciated if you can answer my question asked in the above thread, to have clear visibility.
Thanks